Copiers can be threat to security

Be careful when copying documents.

Ever needed a copy of your bank statement or tax return and taken it to the library or office supply store to run off a copy? Or maybe you sneaked it on the office copier?

You may have left your sensitive personal information behind, on the copier's hard drive.

Today's digital copiers function like computers. They store information into addition to reproducing it. If the hard drives aren't well-protected, or fall into the wrong hands, it could lead to lots of trouble for lots of people.

This is especially worrisome because many copiers are leased, not owned. When the lease is up, the copier is returned to the supplier, who can lease or sell it to someone else. Once your information is out the door, you don't know where it's going.

If you didn't know about this danger, you're not alone. A survey commissioned by Sharp Electronics Corp. in 2008 found 60 percent of those surveyed did not know digital copiers can store a document image that can be retrieved later.

"It's good that people understand the technology they're using," said Larry Kovnat, product security manager for Xerox. "To look at them, it looks like a copier. You can't tell from the outside whether it's got a disk drive on the inside."

An investigation earlier this year by CBS News revealed how easily documents can be retrieved. It found data stored on the hard drives of used copiers for sale could be accessed using software available for free on the Internet.

The documents retrieved by CBS during its investigation included information from Buffalo police on domestic violence cases, sex offenders and drug investigations. Also found were pay stubs from a New York construction company with names, addresses and Social Security numbers of employees, and records from a health insurance company that disclosed medical conditions.

Copier companies like Sharp and Xerox offer software that can encrypt and overwrite data on the hard drives of their machines. Xerox told me that feature is standard on many of its products. Sharp offers it as a separate package that about 15 percent of its customers buy.

This means you must be careful about where you copy your paperwork. Ask what procedures are in place to ensure you are protected. If no one can answer that question, find another place to copy your papers.

Many libraries have copiers available for public use, and this issue is serious enough that it is scheduled to be discussed at the annual conference of the American Library Association that concludes Tuesday.

Copy stores such as FedEx Office and Staples say they have procedures to protect customers.

The self-serve copiers at FedEx Office (formerly known as FedEx Kinko's) temporarily store a document image in a "protected" format, then delete the image after each use, spokeswoman Kellie Graddy told me.

Copiers used by employees to process full-service orders retain images in a protected format for 30 days in case the customer wants additional copies, Graddy said. The images are removed after 30 days, or can be purged immediately if the customer asks.

Employees who have access to customer documents must pass a background check and sign confidentiality agreements.

"It's something that we take very seriously because we want to protect our customer data," Graddy said. "We feel good about our machines and our people."

None of the black-and-white copiers in self-serve areas at Staples has hard drives, so customers don't have to worry when using those, Staples spokeswoman Amy Shanler said.

"For our digital copiers, we work with Xerox to ensure all data is secured with state-of-the-art encryption," she said. "In addition, once the machine is no longer in service, Xerox completely cleans the hard drive through a reimaging process."

The issue goes well beyond an individual occasionally using a copier.

Governments, businesses, schools and hospitals copy documents with sensitive information about taxpayers, customers, students and patients, not to mention their employees. We should be concerned about what's being done to protect our information stored on those copiers, too.

Lehigh Valley Health Network uses "a '7-Pass' overwrite technology to completely and securely remove any data on the hard drives," spokesman Brian Downs said. "This technology is the same method utilized by the Department of Defense for data removal."

Pennsylvania state government agencies must clear the hard drives of all media storage equipment before the equipment can be destroyed, returned when the lease expires or sold, according to a policy issued late last year.

The federal government keeps the hard drives of the digital copiers it leases, and destroys the drives when the leased copiers are returned to the supplier, according to the Federal Trade Commission.

At the prompting of U.S. Rep. Edward Markey, (D-Mass.), the commission is looking into how it can help protect consumers from digital copier security risks.